GET STARTED ON DRIFTCTL
The examples here are based on AWS.
Please follow our documentation to authenticate on Microsoft Azure or Google Cloud Platform.
Welcome to this walkthrough that will get you started on driftctl in a couple of steps. In this blog post, we'll show the simplest secure way to authenticate driftctl against AWS: a dedicated read-only IAM user, plus an optional separate IAM profile for the S3 bucket that holds the Terraform state files.
Driftctl needs only read-only access and uses the standard AWS CLI environment variables, such as AWS_PROFILE. So, for example, if you already have an AWS profile configured in ~/.aws/credentials for Terraform, you can point driftctl at it by setting AWS_PROFILE. Alternatively, export the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables and driftctl will pick them up automatically to authenticate on AWS. Remember to also export a default AWS region with AWS_REGION.
More information on basic AWS authentication can be found in the AWS CLI User Guide.
It can be as simple as that!
See below if you have to authenticate separately to access the Terraform states inside your S3 bucket.
Reusing an existing AWS profile is an easy way to get started, but you probably want a more secure option. Driftctl doesn't need "write" access to anything, so reusing the profile Terraform applies with grants far more rights than driftctl needs.
The quick’n’simple path: a Read-Only Policy
Here's a simple read-only option that gets you securely started in less than 2 minutes: create a dedicated IAM user for driftctl, attach only a read-only policy to it, and store its access key under its own AWS CLI profile.
You're now ready to use driftctl with a dedicated, more secure, read-only AWS profile.
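Here is what that read-only bootstrap can look like, as an added example rather than the post's own commands: it creates a dedicated IAM user, attaches the AWS-managed ReadOnlyAccess policy, stores a fresh access key under a separate CLI profile, and then checks that nothing beyond that policy is attached. The user and profile name driftctl-ro, the region, and the choice of ReadOnlyAccess (rather than a tighter least-privilege policy) are assumptions made here, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the post or the driftctl project): bootstrap a
# dedicated read-only IAM user and a matching AWS CLI profile for driftctl.
# Assumed names: IAM user and profile "driftctl-ro", region eu-west-1, and
# the AWS-managed ReadOnlyAccess policy as the "read-only policy".
set -eu

READONLY_POLICY_ARN="arn:aws:iam::aws:policy/ReadOnlyAccess"

# Succeed only if every policy ARN in $1 (whitespace-separated, as printed
# by `aws iam list-attached-user-policies --output text`) is ReadOnlyAccess.
# Any other attached policy means the user has more rights than driftctl
# needs; no policy at all means the user cannot read anything.
only_readonly_attached() {
    attached="$1"
    [ -n "$attached" ] || return 1
    for arn in $attached; do
        [ "$arn" = "$READONLY_POLICY_ARN" ] || return 1
    done
    return 0
}

# Create the user, attach the policy, mint one access key and write it into
# ~/.aws/credentials under a dedicated profile (real AWS CLI subcommands).
create_readonly_profile() {
    user="$1"; profile="$2"; region="$3"
    aws iam create-user --user-name "$user"
    aws iam attach-user-policy --user-name "$user" --policy-arn "$READONLY_POLICY_ARN"
    # create-access-key must run exactly once: capture both halves of the
    # key pair from a single call (tab-separated text output).
    keypair=$(aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
    set -- $keypair
    aws configure set aws_access_key_id "$1" --profile "$profile"
    aws configure set aws_secret_access_key "$2" --profile "$profile"
    aws configure set region "$region" --profile "$profile"
}

# Post-check: no inline policies, and only ReadOnlyAccess attached.
verify_readonly_user() {
    user="$1"
    inline=$(aws iam list-user-policies --user-name "$user" \
        --query 'PolicyNames' --output text)
    case "$inline" in
        ""|None) ;;
        *) echo "inline policies present on $user: $inline" >&2; return 1 ;;
    esac
    attached=$(aws iam list-attached-user-policies --user-name "$user" \
        --query 'AttachedPolicies[].PolicyArn' --output text)
    only_readonly_attached "$attached"
}

# Nothing talks to AWS unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    create_readonly_profile driftctl-ro driftctl-ro eu-west-1
    verify_readonly_user driftctl-ro
    AWS_PROFILE=driftctl-ro AWS_REGION=eu-west-1 driftctl scan
fi
```

The verification step is the part worth keeping around: run it again whenever someone "temporarily" widens the user's permissions, so the driftctl identity stays read-only.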
It's a common pattern among teams to use a different authentication for the Terraform state files. Sometimes it's to share a single S3 bucket between teams, sometimes it's for fine-grained access control, sometimes it's simply for isolation in a separate AWS account. You're probably in this case if your Terraform S3 backend block carries its own credentials configuration (for example, a dedicated profile).
Whatever your reason for needing a different profile, you can use it with driftctl through the DCTL_S3_PROFILE (profile name) and DCTL_S3_REGION (S3 bucket region) environment variables.
So, if your AWS profile for the "mycompany-s3-terraform" S3 bucket is named "s3-terraform" and the bucket lives in a different region, "us-west-2", then the full environment setup consists of your read-only profile for the scan itself plus DCTL_S3_PROFILE=s3-terraform and DCTL_S3_REGION=us-west-2 for the state bucket.
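The environment wiring for that case, as an added example rather than the post's own snippet: the bucket name, the s3-terraform profile and us-west-2 come from the text, while the read-only scan profile driftctl-ro, its region eu-west-1 and the state file key prod/terraform.tfstate are assumptions. Before running driftctl scan it checks that both profile names are actually defined in the AWS CLI files, so a mistyped profile is caught up front.

```shell
#!/bin/sh
# Added example (not from the post or the driftctl project): separate
# read-only profile for the scan, separate profile for the state bucket.
# Assumed: scan profile "driftctl-ro" in eu-west-1 and state key
# "prod/terraform.tfstate"; "s3-terraform", "mycompany-s3-terraform" and
# us-west-2 are the values named in the post.
set -eu

# Export what driftctl reads. $3/$4 (state profile/region) are optional;
# leave them out when the state bucket is readable with the scan profile.
dctl_env() {
    export AWS_PROFILE="$1" AWS_REGION="$2"
    if [ -n "${3:-}" ]; then
        export DCTL_S3_PROFILE="$3"
        export DCTL_S3_REGION="${4:-$2}"   # bucket region defaults to scan region
    else
        unset DCTL_S3_PROFILE DCTL_S3_REGION
    fi
}

# Succeed if profile $1 is defined in the AWS CLI files: "[name]" in the
# credentials file or "[profile name]" in the config file ("default" is
# "[default]" in both). $2/$3 override the file paths for testing.
profile_defined() {
    name="$1"
    creds="${2:-$HOME/.aws/credentials}"
    conf="${3:-$HOME/.aws/config}"
    if [ "$name" = default ]; then section="default"; else section="profile $name"; fi
    { [ -f "$creds" ] && grep -q "^\[$name]" "$creds"; } ||
    { [ -f "$conf" ] && grep -q "^\[$section]" "$conf"; }
}

# Sanity checks before the scan; optional $1/$2 are passed on as file paths.
dctl_check_env() {
    [ -n "${AWS_PROFILE:-}" ] || { echo "AWS_PROFILE is not set" >&2; return 1; }
    [ -n "${AWS_REGION:-}" ] || { echo "AWS_REGION is not set" >&2; return 1; }
    profile_defined "$AWS_PROFILE" "$@" ||
        { echo "profile $AWS_PROFILE is not defined" >&2; return 1; }
    if [ -n "${DCTL_S3_PROFILE:-}" ]; then
        profile_defined "$DCTL_S3_PROFILE" "$@" ||
            { echo "profile $DCTL_S3_PROFILE is not defined" >&2; return 1; }
        [ -n "${DCTL_S3_REGION:-}" ] || { echo "DCTL_S3_REGION is not set" >&2; return 1; }
    fi
    return 0
}

# Only runs driftctl when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    dctl_env driftctl-ro eu-west-1 s3-terraform us-west-2
    dctl_check_env
    driftctl scan --from "tfstate+s3://mycompany-s3-terraform/prod/terraform.tfstate"
fi
```

The scan profile and the state profile stay two distinct identities: the first only needs read access to the account being scanned, the second only needs to read the state objects in the bucket.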
If you're interested in more precise authentication options or access policies (such as a least-privilege policy), CloudFormation templates, Terraform examples, and more, please consult the driftctl documentation!
Now that you are ready to use driftctl securely, your next step will be to configure your Terraform provider version before you can scan your account for resources not managed by Infrastructure as Code.